Disallow access to events and RSVPs out of scope

diff --git a/plugins/Event/showevent.php b/plugins/Event/showevent.php
index 7fb702f9dbeea5a80dec9d4584fb3f5c8ab2426b..1d4ec49205073c02fca5f9614b654b3d3e8d8fb1 100644 (file)
--- a/plugins/Event/showevent.php
+++ b/plugins/Event/showevent.php
@@ -77,6 +77,16 @@ class ShoweventAction extends ShownoticeAction
             throw new ClientException(_('No such event.'), 404);
         }
 
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->event->profile_id);
 
         if (empty($this->user)) {

diff --git a/plugins/Event/showrsvp.php b/plugins/Event/showrsvp.php
index fde1d48f0e773d0d85b7ebf8a60b15603ff46559..0f13ca82acdc400638cb68c9219868ba902ad276 100644 (file)
--- a/plugins/Event/showrsvp.php
+++ b/plugins/Event/showrsvp.php
@@ -83,6 +83,16 @@ class ShowrsvpAction extends ShownoticeAction
             throw new ClientException(_('No such RSVP.'), 404);
         }
 
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->user = User::staticGet('id', $this->rsvp->profile_id);
 
         if (empty($this->user)) {